Augusto Paes de Barros blog on many things cybersecurity.
Friday, October 8, 2021
Do Not Look For A Root Cause
Reading about root cause analysis (RCA) for security breaches really freaks me out.
Root causes are behind accidents and other unintentional events. Not breaches.
Do you want to know the root cause of a breach? No, it is not a vulnerability that was left unpatched. If you follow the chain of events, someone decided to look for it, assembled a plan of attack, was driven by a motivation...all that at the attacker side.
Defence should look at breaches from a multi-factor point of view. Many things have to go wrong for an attack to be successful and cause harm. You may have a vulnerability providing initial access, but what about allowing privileged access? Lateral movement? Exfiltration, or mass encryption for impact? And why weren't you able to detect and respond to each one of those steps?
Post-mortem analysis usually take the approach of looking at multiple points and is better suited for security incidents. I usually do not like to use project management techniques for security needs, but on this case, I believe it makes sense.
In short, no RCA for your breaches. Take a broader approach and perform a post-mortem analysis.